(version 1)

;; Parameters:
;;   HOME_DIR             the user's home directory
;;   CURRENT_DIR          the current working directory
;;   TORBROWSER_APP_DIR   the TorBrowser.app directory
;;   TORBROWSER_DATA_DIR  the TorBrowser-Data directory

;; TODO: can see all dirs but can download/save only in Downloads (no error reported though!)
;; TODO: printing does not work (Save to PDF does).

(deny default)

(define (home-path aSubPath)
    (path (string-append (param "HOME_DIR") aSubPath)))

(define (home-subpath aSubPath)
    (subpath (string-append (param "HOME_DIR") aSubPath)))

(define (torbrowser-data-dir-path aSubPath)
    (path (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))

(define (torbrowser-data-dir-subpath aSubPath)
    (subpath (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))

(define (torbrowser-app-dir-path aSubPath)
    (subpath (string-append (param "TORBROWSER_APP_DIR") aSubPath)))

(allow file-read*
       (path "/Library/Preferences/com.apple.HIToolbox.plist")
       (path "/Library/Preferences/com.apple.ViewBridge.plist")
       (path "/Library/Preferences/.GlobalPreferences.plist")
       (path "/dev/random")
       (path "/dev/urandom")
       (path "/dev/dtracehelper")
       (path "/private/etc/localtime")
       (path "/private/etc/passwd")
       (path "/private/tmp")
       (path "/private/var/tmp")
       (path (param "HOME_DIR"))
       (subpath "/Library/Audio")
       (subpath "/Library/Fonts")
       (subpath "/System")
       (subpath "/private/var/folders")
       (subpath "/usr/lib")
       (subpath "/usr/share")
       (home-subpath "/Downloads")
       (home-subpath "/Library/Input Methods")
       (home-subpath "/Library/Keyboard Layouts")
       (home-subpath "/Library/Preferences")
       (torbrowser-app-dir-path "")
       (torbrowser-data-dir-path "")
       (torbrowser-data-dir-subpath "/Browser")
       (torbrowser-data-dir-path "/Tor/control_auth_cookie")
)

(allow file-read-metadata
       (home-path "/Desktop")
       (home-path "/Library")
       (home-path "/Library/Saved Application State")
       (path (param "CURRENT_DIR"))
       (path "/")
       (path "/Applications")
       (path "/Users")
       (path "/etc")
       (path "/home")
       (path "/net")
       (path "/private/var/db/.AppleSetupDone")
       (path "/tmp")
       (path "/var")
       (torbrowser-data-dir-path "/Tor/control.socket")
       (torbrowser-data-dir-path "/Tor/socks.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
)

(allow file-write-data file-ioctl
       (path "/dev/dtracehelper")
)

(allow file-write*
       (home-subpath "/Downloads")
       (home-path "/Library/Preferences/.GlobalPreferences.plist")
       (torbrowser-data-dir-subpath "/Browser")
       (subpath "/private/var/folders")
       (path-regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/org.mozilla.tor"))
       (path "/Library/Preferences/.GlobalPreferences.plist")
)

(allow iokit-open)

(allow ipc-posix-shm
       (ipc-posix-name "apple.shm.notification_center")
       (ipc-posix-name-regex "^/tmp/com.apple.csseed")
       (ipc-posix-name-regex "^CFPBS:")
       (ipc-posix-name-regex "^apple\.cfprefs\.")
       (ipc-posix-name-regex "^apple\.shm\.cfprefs\.")
       (ipc-posix-name-regex "^AudioIO")
)

(allow mach-lookup)

(allow mach-register
       (local-name "com.apple.CFPasteboardClient")
       (local-name "com.apple.axserver")
       (local-name "com.apple.coredrag")
       (local-name "com.apple.tsm.portname")
)

(allow network-outbound
       (path "/private/var/run/cupsd")
       (torbrowser-data-dir-path "/Tor/control.socket")
       (torbrowser-data-dir-path "/Tor/socks.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
)

(allow process-exec*
       (torbrowser-app-dir-path "/Contents/MacOS/firefox")
)

(allow sysctl-read)
